It is not a new vulnerability or something that defies existing security best practices against SQL Injection - use SQL Parameters, input validation, least privilege principle, but just highlights another way to break weak code.